The California Data Breach Report "provides an analysis of the databreaches reported to the California attorney general from 2012-2015."In nearly all cases, the breaches exploited vulnerabilities for whichfixes had been available for more than a year. California state lawstates,

Quote

"A business that owns, licenses, or maintains personalinformation about a California resident shall implement and maintainreasonable security procedures and practices appropriate to the natureif the information." The report goes on to say that organizations thatdo not implement the Center for Internet Security's (CIS) 20 CriticalSecurity Controls would be found to demonstrate "a lack or reasonablesecurity."